Re: [PATCH v2 5/7] tools: secure guest check for AMD in virt-host-validate

Erik Skultety <eskultet@xxxxxxxxxx> · Mon, 8 Jun 2020 16:41:34 +0200

On Fri, May 29, 2020 at 12:10:07PM +0200, Paulo de Rezende Pinatti wrote:
> From: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>
>
> Add checking in virt-host-validate for secure guest support
> on x86 for AMD Secure Encrypted Virtualization.
>
> Signed-off-by: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>
> Reviewed-by: Paulo de Rezende Pinatti <ppinatti@xxxxxxxxxxxxx>
> Reviewed-by: Bjoern Walk <bwalk@xxxxxxxxxxxxx>
> ---
>  tools/virt-host-validate-common.c | 29 +++++++++++++++++++++++++++--
>  tools/virt-host-validate-common.h |  1 +
>  2 files changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
> index 8ead68798f..de007f2c43 100644
> --- a/tools/virt-host-validate-common.c
> +++ b/tools/virt-host-validate-common.c
> @@ -41,7 +41,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
>                "vmx",
>                "svm",
>                "sie",
> -              "158");
> +              "158",
> +              "sev");
>
>  static bool quiet;
>
> @@ -447,15 +448,18 @@ int virHostValidateSecureGuests(const char *hvname,
>                                  virHostValidateLevel level)
>  {
>      virBitmapPtr flags;
> -    bool hasFac158 = false;
> +    bool hasFac158 = false, hasAMDSev = false;

^one variable definition per line

>      virArch arch = virArchFromHost();
>      g_autofree char *cmdline = NULL;
>      static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
> +    g_autofree char *mod_value = NULL;
>
>      flags = virHostValidateGetCPUFlags();
>
>      if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158))
>          hasFac158 = true;
> +    else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
> +        hasAMDSev = true;
>
>      virBitmapFree(flags);
>
> @@ -485,6 +489,27 @@ int virHostValidateSecureGuests(const char *hvname,
>              virHostMsgFail(level, "Hardware or firmware does not provide "
>                                    "support for IBM Secure Execution");
>          }
> +    } else if (hasAMDSev) {
> +        if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
> +            virHostMsgFail(level, "AMD Secure Encrypted Virtualization not "
> +                                  "supported by the currently used kernel");
> +            return 0;
> +        }

empty line here...

> +        if (mod_value[0] != '1') {
> +            virHostMsgFail(level,
> +                           "AMD Secure Encrypted Virtualization appears to be "
> +                           "disabled in kernel. Add mem_encrypt=on "
> +                           "kvm_amd.sev=1 to kernel cmdline arguments");
> +            return 0;
> +        }

and here...

Reviewed-by: Erik Skultety <eskultet@xxxxxxxxxx>